Odd SP behavior re authn context
Matthew D Houser
mhouser at uwm.edu
Mon Oct 11 18:52:17 UTC 2021
I should have specified that the SP was throwing the error that there was no authn context, since the IdP was indeed disregarding the unspecified request.
Turns out though that the problem was that despite requesting "unspecified or better" what it really wanted was urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, and Azure AD was passing back urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
I just mapped it and everything looks fine now.
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Friday, October 8, 2021 10:18 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Odd SP behavior re authn context
On 10/8/21, 3:20 PM, "users on behalf of mat houser" <users-bounces at shibboleth.net on behalf of mhouser at uwm.edu> wrote:
> In the authn request it's requesting this:
The IdP defaults to ignoring "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" in any requests (it's a set of ignored values that's in the configuration in a bean called shibboleth.IgnoredContexts), so if an SP requested that, the IdP would act as though nothing was requested and would NOT return an error.
But yes, it's nonsensical to ask for "better than unspecified", that makes no sense as you correctly inferred.
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
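The thread turns on two pieces of SAML authentication-context matching: the IdP dropping "unspecified" from the request before it matches anything (so the request is treated as empty and no error is raised), and the SP rejecting the returned `Password` class when it actually required `PasswordProtectedTransport` until that value was mapped. The following standalone checker is an added example written for this archive page; it is not Shibboleth SP or IdP code and not what either poster ran. It assumes a constructed strength ordering for the "minimum"/"better"/"maximum" comparisons (SAML itself defines no universal ranking of classes), constructed sample messages, and a hypothetical SP-side mapping table that plays the role of the "I just mapped it" fix described above.

```python
"""Check a SAML Response's AuthnContextClassRef against the RequestedAuthnContext
of the AuthnRequest that triggered it. Added example, not Shibboleth's own code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
UNSPECIFIED = AC + "unspecified"
PASSWORD = AC + "Password"
PPT = AC + "PasswordProtectedTransport"

# Values dropped from a request before matching, mirroring the behaviour the
# thread attributes to the IdP's shibboleth.IgnoredContexts bean.
IGNORED_CONTEXTS = {UNSPECIFIED}

# Constructed local policy: ranking used for minimum/better/maximum comparisons.
# This is an assumption of the example; the SAML spec defines no such ordering.
STRENGTH = {PASSWORD: 1, PPT: 2, AC + "TLSClient": 3, AC + "X509": 3}

# Hypothetical SP-side mapping: treat the Password class an IdP returns as
# PasswordProtectedTransport (the kind of mapping the thread's fix describes).
SP_MAPPING = {PASSWORD: PPT}


def build_request(comparison, *class_refs):
    """Construct a minimal samlp:AuthnRequest carrying a RequestedAuthnContext (sample data)."""
    refs = "".join(f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>" for r in class_refs)
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
        'IssueInstant="2021-10-08T19:20:00Z">'
        "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"  # constructed issuer
        f'<samlp:RequestedAuthnContext Comparison="{comparison}">{refs}</samlp:RequestedAuthnContext>'
        "</samlp:AuthnRequest>"
    )


# Constructed sample Response asserting the plain Password class, as the thread
# says Azure AD returned.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2021-10-08T19:20:05Z">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-10-08T19:20:05Z">'
    '<saml:AuthnStatement AuthnInstant="2021-10-08T19:20:05Z">'
    f"<saml:AuthnContext><saml:AuthnContextClassRef>{PASSWORD}</saml:AuthnContextClassRef></saml:AuthnContext>"
    "</saml:AuthnStatement></saml:Assertion></samlp:Response>"
)


def requested_contexts(authn_request_xml):
    """Return (Comparison, [class refs]) from an AuthnRequest, with ignored values removed."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, [r for r in refs if r not in IGNORED_CONTEXTS]


def returned_context(response_xml):
    """Return the AuthnContextClassRef asserted in a Response, or None if absent."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ref = root.find(path, NS)
    return ref.text.strip() if ref is not None and ref.text else None


def context_satisfies(comparison, requested, returned, mapping=None):
    """Decide whether `returned` meets `requested` under the given Comparison.
    An empty request (e.g. only 'unspecified' was asked for) counts as 'nothing
    requested' and is accepted, matching the IdP behaviour described in the thread."""
    if not requested:
        return True
    if returned is None:
        return False
    effective = (mapping or {}).get(returned, returned)
    if comparison == "exact":
        return effective in requested
    strength = STRENGTH.get(effective)
    wanted = [STRENGTH[r] for r in requested if r in STRENGTH]
    if strength is None or not wanted:
        return False  # unranked class on either side: cannot be compared
    if comparison == "minimum":
        return strength >= min(wanted)
    if comparison == "better":
        return strength > max(wanted)
    if comparison == "maximum":
        return strength <= max(wanted)
    return False


def check(request_xml, response_xml, mapping=None):
    """End-to-end: parse both messages and report whether the SP should accept the context."""
    comparison, requested = requested_contexts(request_xml)
    return context_satisfies(comparison, requested, returned_context(response_xml), mapping)


if __name__ == "__main__":
    strict = build_request("minimum", PPT)
    print("PPT required, Password returned, no mapping:", check(strict, SAMPLE_RESPONSE))
    print("same, with SP mapping applied:", check(strict, SAMPLE_RESPONSE, SP_MAPPING))
    print("'better than unspecified' request:", check(build_request("better", UNSPECIFIED), SAMPLE_RESPONSE))
```

Running the module shows the three situations from the thread side by side: the request for PasswordProtectedTransport fails against a plain Password assertion, passes once the mapping is applied, and a "better than unspecified" request is accepted because the ignored value leaves nothing to compare. The mapping should be a deliberate policy decision: it declares that the IdP's Password logins are, in practice, performed over a protected transport.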